European Data Protection Supervisor

EDPS welcomes agreement on new data protection rules for the EU institutions and bodies

23/05/2018

Just two days from now, the General Data Protection Regulation (GDPR) will become fully applicable to all companies and organisations operating within the EU. We welcome the news that the EU legislator has now reached a political agreement on equivalent rules on data protection in the EU institutions and bodies and we will continue to support the EU institutions to ensure that they are ready to implement these rules from day one, the European Data Protection Supervisor (EDPS) said today.

Giovanni Buttarelli, EDPS, said: We are now only two days away from what will be an historic day for data protection in the European Union. The GDPR will become fully applicable on 25 May 2018, bringing with it a big shift towards the principle of accountability and stronger powers of enforcement. We welcome today’s announcement of a political agreement on equivalent rules for the EU institutions and bodies and call for their swift adoption and publication, to ensure that they become applicable without further delay. As the supervisory authority responsible for monitoring and ensuring the protection of personal data in the EU institutions and bodies, the EDPS has undertaken to ensure that the EU institutions will be adequately prepared.

The GDPR applies to all companies and organisations that process personal data within the EU. It does not, however, apply to the EU institutions and bodies, which must adhere to separate rules, currently set out in Regulation 45/2001. The revised rules on data protection in the EU institutions, agreed upon by EU lawmakers today, bring Regulation 45/2001 in line with the high standards of data protection provided for in the GDPR. They reflect the new emphasis on accountability, requiring the EU institutions to actively demonstrate their compliance with data protection rules, and prioritise practical safeguards for individuals rather than bureaucratic procedures.

In anticipation of the revised rules, the EDPS has been working closely with Data Protection Officers (DPOs) and other representatives from all EU institutions, bodies and agencies to prepare them for the changes to come. These activities not only include interactive workshops organised as part of our twice-yearly DPO meetings, but also targeted visits, training sessions and conferences aimed at ensuring that all EU staff involved in the processing of personal data, no matter their place in the EU hierarchy, are aware of the new rules and what they entail. With the revised rules now finalised, the EDPS will continue to intensify these efforts as part of an awareness-raising campaign, aimed at ensuring that the EU institutions have the necessary knowledge and tools to apply the new rules in an exemplary fashion.   

EU citizens must be able to enjoy the same strengthened rights when dealing with the EU institutions as they will enjoy under the GDPR. The revised rules on data protection in the EU institutions and bodies agreed upon today will ensure that they are able to do so.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.

EU Data Protection Reform package:

On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:

  • a general Regulation on data protection which was adopted on 24 May 2016, applicable as of 25 May 2018; and
  • a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.

The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU). Member States have had two years to ensure that they are fully applicable in their countries by 25 May 2018.